[Openid-specs-fapi] Issue #257: state is required for non-OpenID-Clients now, PKCE should be as well (openid/fapi)
issues-reply at bitbucket.org
Wed Jul 24 14:41:09 UTC 2019
New issue 257: state is required for non-OpenID-Clients now, PKCE should be as well
State can be used to detect CSRF, not code injection.

That's the reason the Security BCP makes PKCE mandatory for any OAuth client.

I therefore think we should add this requirement to FAPI R.
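The distinction the post draws, as an added example that is not part of the original message or of the FAPI specs: a small in-memory model of the authorization-code flow in which the client checks `state` and the authorization server enforces PKCE (RFC 7636, S256). Two attacks are played against it, a CSRF on the victim's callback and the injection of a stolen code into the attacker's own session. The server, the client sessions, the client_id, the redirect URI and the "stolen" code are all constructed for illustration; nothing here is taken from a real deployment.

```python
"""Added example, not code from the original mailing-list post or from the FAPI
specs: a minimal in-memory model of an OAuth 2.0 authorization-code flow that
shows what the `state` check catches (CSRF) and what only PKCE (RFC 7636, S256)
catches (injection of a stolen code). Server, client sessions, identifiers and
URLs are all constructed for illustration."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """code_verifier: 32 random bytes -> 43 unreserved chars (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed stand-in for the AS: issues single-use codes bound to a challenge."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge=None):
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier=None):
        entry = self._codes.pop(code, None)  # every code is single-use
        if entry is None:
            return None
        cid, ruri, challenge = entry
        if cid != client_id or ruri != redirect_uri:
            return None
        # Only a code that was issued against a challenge is protected by PKCE.
        if challenge is not None:
            if code_verifier is None or not hmac.compare_digest(
                make_challenge(code_verifier), challenge
            ):
                return None
        return "access-token-for-" + code


class ClientSession:
    """One browser session at the client: owns its own state and, if enabled, verifier."""

    def __init__(self, auth_server, use_pkce=True,
                 client_id="fapi-client", redirect_uri="https://client.example/cb"):
        self.auth_server = auth_server
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.state = secrets.token_urlsafe(16)
        self.verifier = make_verifier() if use_pkce else None

    def start(self):
        """Authorization request; returns the code the AS would redirect back with."""
        challenge = make_challenge(self.verifier) if self.verifier else None
        code = self.auth_server.authorize(self.client_id, self.redirect_uri, challenge)
        return code, self.state

    def callback(self, code, state):
        """Redirect-URI handler: state check first, then the code exchange."""
        if not hmac.compare_digest(state, self.state):
            return "rejected: state mismatch (CSRF)"
        token = self.auth_server.token(self.client_id, self.redirect_uri, code, self.verifier)
        if token is None:
            return "rejected: code exchange failed (PKCE)"
        return token


def run_scenarios(use_pkce):
    """Play CSRF, code injection and an honest flow with or without PKCE."""
    auth_server = AuthorizationServer()
    victim = ClientSession(auth_server, use_pkce)
    attacker = ClientSession(auth_server, use_pkce)
    v_code, _ = victim.start()
    a_code, a_state = attacker.start()
    results = {}
    # CSRF: the attacker makes the victim's browser hit the callback with the
    # attacker's code and state. The victim's session never issued that state.
    results["csrf"] = victim.callback(a_code, a_state)
    # Code injection: the attacker has obtained the victim's code (the leak is
    # assumed, not modelled) and feeds it to his own session with his own, valid
    # state. state is silent; only the verifier bound to v_code's challenge helps.
    results["injection"] = attacker.callback(v_code, a_state)
    # Honest flow for comparison.
    results["honest"] = attacker.callback(a_code, a_state)
    return results


if __name__ == "__main__":
    for flag in (True, False):
        print("PKCE" if flag else "state only", run_scenarios(flag))
```

Run it and compare the two dictionaries: with `use_pkce=False` the "injection" entry is an access token issued for the victim's code, i.e. the attacker is logged in as the victim although the state check passed; with `use_pkce=True` the same request is refused at the token endpoint because the attacker's session cannot produce the verifier whose S256 hash the AS stored with that code. The "csrf" entry is refused in both modes, which is all `state` ever guaranteed.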